The virus vigil
Many programs can help you keep your guard up and prevent future attacks
- By Mark A. Kellner
- Aug 28, 2002
You can run, it seems, but you can't hide from computer virus attacks, particularly in an enterprise.
A recent survey by ICSA Labs of Herndon, Va., concluded that the rate of malicious code infection continues to rise. Based on reports from 300 companies and government agencies, the survey found, among other factors:
- An increase in the number of multiple-vector threats, similar to Nimda
- The proliferation of host-based threats, with worms such as Code Red and Nimda reflecting a trend of malicious code that infects and propagates through Internet host computers
- The magnification of several things that contribute to rising infection rates, including new virus types, increased use of multiple e-mail programs, new replication vectors and expanded forms of connectivity.
So along with established and known viruses, it seems likely that new threats pose an even greater danger. Larry Bridwell, one of the survey's authors and content security programs manager at ICSA Labs, said: 'An unknown threat is much more likely to cause a virus disaster than a known threat, due to the speed at which viruses propagate. Antivirus vendors and end-user organizations can no longer take a reactive approach to combating these threats.'
This, in turn, is leading to increased sales of antivirus software. Researcher NPD Intellect of Reston, Va., reported retail 2001 sales of 8 million units of antivirus software, about a 60 percent increase over 2000.
Added Laura Garcia, a senior product manager at Symantec Corp.'s antivirus software division: 'If anything, the risk of virus infections and the threat to end users is increasing, and it's more severe now than a year and a half ago. What really has caused the virus threat to spread is we are living in an increasingly connected world. Everybody is on a network, and everyone is connected to the Internet.'
No shock
With these factors in play, it's little surprise that the amount of time spent dealing with computer virus attacks (and the threat of them) is increasing. In a home or remote office, the problem can be a mere annoyance if the proper precautions have been taken, or it can be devastating. On an enterprise level, the effects can grow exponentially.
'When a worm or virus such as LoveLetter or Anna Kournikova or Melissa or Chernobyl strikes an enterprise, it can cost tens of millions of dollars,' said Steven Sundermeier, a product manager at Central Command Inc. 'You have the downtime, you have to shut down all e-mail servers, and you have the lost productivity.'
One reason for the increase in threats, Sundermeier said, is that virus authors (hackers seems too mundane a term) are becoming more and more sophisticated.
'Virus authors are getting a little smarter, knowing that if they can pique a user's curiosity it's more likely they will succeed,' he said. 'Now they can devise some kind of bogus patch or security update. One created a bogus Microsoft bulletin that mimicked the real thing almost to a T. It's getting pretty hard to decipher the fake from the real.'
Even the best-laid plans of some software vendors can sometimes lead to a false sense of security. Microsoft Corp.'s recently released Windows XP operating system and Office XP productivity suite offer some security improvements, but could fall short in crucial areas.
A case in point is Microsoft Outlook 2002, whose default settings block all executable (.exe) and script files. But virus authors who know these settings can devise ways around them, Sundermeier said.
'A lot of these [worms and viruses] are being renamed; not every virus comes into a network as an .exe. The Alyssa Milano worm came in as a self-extracting Zip file; typically you will allow Zip files because they're harmless, but it operates the same way.'
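A defender's illustration of the point Sundermeier makes above, added here and not taken from the article: a name-only attachment block (in the spirit of Outlook 2002's defaults) set against a check that inspects the bytes, run over constructed samples including a renamed executable and a self-extracting Zip. The deny-list, file names and byte contents are all assumptions made for the example.

```python
# Added example, not from the article; every sample is a constructed byte string.
import io
import zipfile

# Assumed deny-list in the spirit of Outlook 2002's default attachment block.
BLOCKED_EXTENSIONS = (".exe", ".vbs", ".js", ".scr", ".pif", ".bat")
PE_MAGIC = b"MZ"           # DOS/PE executable header
ZIP_MAGIC = b"PK\x03\x04"  # local-file-header signature of a plain Zip

def blocked_by_extension(filename: str) -> bool:
    """The policy the article describes: decide from the file name alone."""
    return filename.lower().endswith(BLOCKED_EXTENSIONS)

def blocked_by_content(filename: str, data: bytes) -> bool:
    """Inspect the bytes, not the name: block any executable, and any archive
    carrying one. A self-extracting Zip is a PE executable with archive data
    appended, so it starts with 'MZ' even when it is presented as a .zip."""
    if data.startswith(PE_MAGIC):
        return True
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(blocked_by_extension(n) or zf.read(n).startswith(PE_MAGIC)
                           for n in zf.namelist())
        except zipfile.BadZipFile:
            return True  # unparsable archive: treat as suspicious
    return blocked_by_extension(filename)

def make_zip(entries: dict) -> bytes:
    buf = io.BytesIO()  # build a small in-memory Zip from {name: bytes}
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()

FAKE_PE = PE_MAGIC + b"\x90" * 62  # constructed stand-in for a Win32 binary
SAMPLES = {  # constructed attachments: name -> bytes
    "invoice.exe": FAKE_PE,                             # caught by both policies
    "invoice.txt": FAKE_PE,                             # renamed executable
    "photos.zip": FAKE_PE + make_zip({"a.jpg": b"x"}),  # self-extracting Zip
    "album.zip": make_zip({"a.jpg": b"\xff\xd8"}),      # harmless archive
    "patch.zip": make_zip({"update.exe": FAKE_PE}),     # archive hiding a binary
}

def compare_policies(samples=SAMPLES) -> dict:
    """Return {name: (blocked_by_extension, blocked_by_content)} per sample."""
    return {n: (blocked_by_extension(n), blocked_by_content(n, d))
            for n, d in samples.items()}
```

Only the first sample is stopped by the name-only policy; the content check stops every sample except the harmless archive.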
Many large enterprises are installing firewalls and scanning programs on, or in front of, their network servers, but small office systems and remote users are now at the forefront of many virus attacks, either as victims or unwitting propagators of a virus.
'We've seen an evolution where the virus industry and the hacker industry have combined. And that requires a combined defense,' said Bob Hansmann, product manager for TrendMicro Inc.
What should users and managers look for when buying antivirus software? Adaptability, hands-free operation and updating are essential.
Never-ending effort
Symantec's Garcia said: 'Antivirus software must constantly receive definitions when they become available from [the publishers'] response centers. It must always be updated without user intervention.'
Garcia also said it was important to scan incoming and outgoing e-mail. She added that virus removal should be easy and adaptable to handle script-based, Visual Basic or Java-based viruses without relying on a specific definition.
Such heuristic capabilities are increasingly popular among antivirus software publishers, and they are now found in several products listed in the accompanying chart.
What's next in the realm of virus attacks? Several experts say handheld computers and smart phones (so far excluded from virus attacks) are next on the list.
'Virus writers write for the technology to which they have access and then the technology that is most popular,' TrendMicro's Hansmann said. The formula for virus authors, he said, is vulnerability equals popularity and functionality of the device.
'There has never been a reported and confirmed real-world virus outbreak on a personal digital assistant. There have been attacks on those devices, but there have not been viruses,' he said. 'Nokia had somebody e-blast a Web link to [users] in Scandinavia; when they went to the site, it reprogrammed the keys. In Japan, there was a Short Message Service message; when they checked out the page, it got a Trojan that made the phone repeatedly dial the 911 system.'
The consensus seems to be this: At home or at work (even on a handheld) antivirus software is essential. Mark A. Kellner, a free-lance writer in Marina del Rey, Calif., has noticed an increase in virus attacks on his Internet-connected systems. But he's dodged infection so far; contact him at firstname.lastname@example.org.